Description of problem:
When parsing a peer's supported HMAC authentication options in the sctp_auth_asoc_get_hmac() function, a malicious peer can craft their HMAC array in such a way as to cause memory corruption (out-of-bounds read followed by use of retrieved out-of-bounds data), which at the very least could cause a denial of service via kernel panic, and possibly worse. It appears this could be triggered remotely when connecting to a malicious peer, or locally by a user acting as both endpoints. In both cases, the "auth_enable" sysctl must be set in order to trigger the bug.
References:
http://marc.info/?l=oss-security&m=128619854321910&w=1http://marc.info/?l=linux-kernel&m=128596992418814&w=2

Statement:
Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-3705.
This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. It did not affect Red Hat Enterprise Linux 4 and 5 as it did not include upstream commit 1f485649 that introduced the problem. Future kernel updates in Red Hat Enterprise MRG may address this flaw.